Critical ExifTool Vulnerability Allows Attackers to Compromise Macs via Single Malicious Image

MacThreat

A critical vulnerability in ExifTool, the widely used open-source metadata utility, allows attackers to compromise macOS systems by embedding malicious shell commands within a single image file. Tracked as CVE-2026-3102 and discovered by Kaspersky’s GReAT team in February 2026, the flaw enables arbitrary code execution when a user processes a crafted photo, posing a direct threat to enterprise environments reliant on automated image handling.

Vulnerability Origin: Unsanitized Date Input

The vulnerability resides in ExifTool’s `SetMacOSTags` function, which sets file creation dates via the macOS Spotlight attribute `MDItemFSCreationDate`. During metadata processing, the tag’s text content is assigned to the `$val` variable. While the filename parameter is properly escaped before it reaches the `system()` call, the date value is interpolated into the command string without sanitization. This allows an attacker to inject single quotes into the command string, breaking out of the quoted argument and executing arbitrary shell commands with the privileges of the user running ExifTool.

Exploitation Sequence and Payload Delivery

Directly writing a malformed date payload into `FileCreateDate` fails because ExifTool’s `PrintConvInv` filter rejects invalid date formats. Attackers bypass this by using the `-n` flag, which makes ExifTool accept raw values without print conversion. The exploitation leverages ExifTool’s copy mechanisms: first, the attacker injects a malicious payload into a less strictly validated source tag such as `DateTimeOriginal` using the `-n` flag. Then, using the `-tagsFromFile` feature, the tainted metadata is copied into `FileCreateDate`. Because the vulnerable code path triggers only during a copy operation, the unsanitized input flows directly into the `system()` sink, invoking the macOS `/usr/bin/setfile` command and executing the payload via command substitution.

Patch and Enterprise Mitigations

Developers addressed the flaw in ExifTool version 13.50 by replacing fragile string concatenation with a dedicated `System()` wrapper that passes the command and its arguments to system calls as a list. Because no shell ever parses the arguments, this eliminates shell interpretation risks. Organizations using macOS for photo processing, asset management, or journalism workflows must audit and upgrade all scripts and applications to version 13.50 or later. Additionally, scan for bundled copies of older ExifTool libraries, isolate untrusted file processing in virtual environments with restricted network access, and enforce endpoint protection on any macOS device connecting to corporate networks.
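The two defensive measures described above, the version audit and the shell-free argument-list invocation, as an added Python example for a wrapper script that drives ExifTool and `setfile`; this is not ExifTool's own code, and the `setfile -d` date format, the `/usr/bin/setfile` path and the sample values are assumptions:

```python
import re
import subprocess
from datetime import datetime

# First ExifTool release carrying the fix, per the advisory. ExifTool
# versions are plain decimal numbers ("13.49", "13.50"), so float compare works.
PATCHED_VERSION = 13.50

def exiftool_is_patched(ver_output):
    """True when the string printed by `exiftool -ver` is 13.50 or later."""
    return float(ver_output.strip()) >= PATCHED_VERSION

# Strict allowlist for the only date shape we ever forward to setfile.
# fullmatch() (rather than $) also rejects a trailing newline.
EXIF_DATE_RE = re.compile(r"(\d{4}):(\d{2}):(\d{2}) (\d{2}):(\d{2}):(\d{2})")

def validate_exif_date(val):
    """Return a datetime for a well-formed 'YYYY:MM:DD HH:MM:SS', else None.
    Quotes, $(...), backticks and any other stray byte fail the match."""
    m = EXIF_DATE_RE.fullmatch(val)
    if m is None:
        return None
    try:
        return datetime(*map(int, m.groups()))
    except ValueError:       # e.g. month 13 or day 32
        return None

def setfile_argv(val, path):
    """Build the argument vector for setfile as a list.

    The vulnerable pattern was a single shell string of the form
    "setfile -d '<val>' '<path>'"; a list passed to subprocess.run()
    with shell=False is executed directly, so nothing in val or path is
    ever interpreted by a shell."""
    dt = validate_exif_date(val)
    if dt is None:
        raise ValueError("refusing malformed creation date: %r" % (val,))
    # Assumed setfile syntax: -d "mm/dd/yyyy hh:mm:ss" (check `man SetFile`).
    return ["/usr/bin/setfile", "-d", dt.strftime("%m/%d/%Y %H:%M:%S"), path]

def set_creation_date(val, path):
    """Apply the creation date without invoking a shell (macOS only)."""
    return subprocess.run(setfile_argv(val, path), check=True)

if __name__ == "__main__":
    # Constructed sample values; the audit would normally read `exiftool -ver`.
    print("patched:", exiftool_is_patched("13.50"))
    print(setfile_argv("2026:02:10 12:30:45", "/tmp/example.jpg"))
```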

This incident underscores a broader enterprise risk: the assumption that image files are benign metadata containers. As attackers increasingly weaponize common file formats, security teams must treat metadata processing pipelines as critical attack surfaces, not peripheral utilities.

Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.
